#!/usr/bin/env python
###############################################################################
#
# CoCalc: Collaborative Calculation in the Cloud
#
# Copyright (C) 2016, Sagemath Inc.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
###############################################################################
# This script is run by /etc/rc.local when booting up. It does special configuration
# depending on what images are mounted, etc.
import os, socket, sys
# Every role-specific branch below is selected purely by the hostname prefix.
hostname = socket.gethostname()

# The "salvus-base" template image gets none of the role-specific setup;
# leave it untouched so it stays a clean base for the other roles.
is_template_machine = hostname.startswith("salvus-base")
if is_template_machine:
    sys.exit(0)
if hostname.startswith('devel'):
    # Development node: apply the IP blacklist, stay off the VPN and run
    # against throwaway secrets.
    os.system('/root/ip_blacklist/block.sh')

    # Keep this node off the tinc network -- a devel node on the VPN makes the
    # bup server listen only externally.  Killing tincd alone is not enough,
    # since it could be started again later in boot; removing the tinc config
    # directory also deletes the trusted private key, so the node can no
    # longer join at all.
    for cmd in (
        "killall tincd",
        "rm -rf /home/salvus/salvus/salvus/data/local/etc/tinc/",
    ):
        os.system(cmd)

    # Import the ZFS pool, mount it and start bup as the salvus user.
    os.system("zpool import -f pool; zfs mount -a; chmod og-r /projects; su - salvus -c 'cd /home/salvus/salvus/salvus/&& . smc-env&& export BUP_POOL=\"pool\"; ./bup_server start'")

    # Neutralise secrets a devel node must not carry.  They are blanked rather
    # than deleted because hub.coffee assumes the cassandra/hub file exists;
    # devel machines do not need the sendgrid password either.
    for secret_path in (
        "/home/salvus/salvus/salvus/data/secrets/cassandra/hub",
        "/home/salvus/salvus/salvus/data/secrets/sendgrid_email_password",
    ):
        os.system('echo ""> %s' % secret_path)

    # Replace the real TLS key with the fake no-passphrase one.
    os.system("cp /home/salvus/salvus/salvus/data/secrets/sagemath.com/nopassphrase.pem.fake /home/salvus/salvus/salvus/data/secrets/sagemath.com/nopassphrase.pem")

    # Install the newest copies of selected scripts into /usr/local/bin,
    # writable by root only and executable by everyone.
    # NOTE(review): indentation was lost in the rendered source; this loop is
    # read as part of the devel branch because the compute branch below repeats
    # it -- confirm against the original file.
    for script in ['bup_storage.py']:
        os.system(
            "cp /home/salvus/salvus/salvus/scripts/%(s)s /usr/local/bin/; "
            "chmod og-w /usr/local/bin/%(s)s; chmod og+rx /usr/local/bin/%(s)s"
            % {"s": script}
        )
if hostname.startswith('compute'):
    # Compute nodes never need the web-tier secrets; remove them outright.
    os.system('rm -rf /home/salvus/salvus/salvus/data/secrets/')

    # Persistent crontab storage, so crontabs survive a VM restart.  Disabled:
    # it does not yet account for projects moving between nodes, so this guard
    # is intentionally always false and the body never runs.
    if False:
        if not os.path.exists("/mnt/home/crontabs/"):
            os.system("mkdir -p /mnt/home/crontabs/; chmod a+rx /mnt/home/; chgrp crontab /mnt/home/crontabs; chmod 1730 /mnt/home/crontabs")
        os.system("cd /var/spool/cron/; rm -rf crontabs; ln -s /mnt/home/crontabs .")

    # Install the newest copies of selected scripts into /usr/local/bin,
    # writable by root only and executable by everyone.
    for script in ['bup_storage.py']:
        os.system(
            "cp /home/salvus/salvus/salvus/scripts/%(s)s /usr/local/bin/; "
            "chmod og-w /usr/local/bin/%(s)s; chmod og+rx /usr/local/bin/%(s)s"
            % {"s": script}
        )

    # Bring up the bup storage server.  Ordering matters and is encoded by
    # this tuple: drop stale mounts and import the pool first; start tinc
    # *after* the ZFS pools are mounted (so we don't get rsync'd) but *before*
    # bup_server, which needs to know the tun0 address; then install the
    # snapshot crontab and bring up the mostly-outgoing-blocking iptables
    # firewall.
    for cmd in (
        "umount /projects; umount /bup/conf; umount /bup/bups; zpool import -f bup; zfs set mountpoint=/projects bup/projects; chmod og-r /projects",
        "nice --19 /home/salvus/salvus/salvus/data/local/sbin/tincd",
        "su - salvus -c 'cd /home/salvus/salvus/salvus/&& . smc-env&& ./bup_server start'",
        "crontab /home/salvus/salvus/salvus/scripts/root-compute.crontab",
        'cd /root/smc-iptables; ./restart.sh',
    ):
        os.system(cmd)

    # Tighten permissions under /home/salvus as a safety net.  The trailing
    # '&' backgrounds the recursive chmod, so os.system returns immediately
    # and the remaining steps of this boot script run while it is still in
    # progress.
    os.system("chmod og-rwx -R /home/salvus/&")
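if hostname.startswith('cassandra'):
    # Delete data that doesn't need to be on this node
    os.system("rm -rf /home/salvus/salvus/salvus/data/secrets/")
    # Import and mount the relevant ZFS pool -- blocking, since once the
    # machine is up we had better be able to start cassandra itself.
    os.system("zpool import -f cassandra ")

    # Resource limits per http://www.datastax.com/docs/1.1/install/recommended_settings
    # This *replaces* /etc/security/limits.conf wholesale ("w" mode), so any
    # limits previously configured on this node are discarded.
    # The context manager guarantees the file is flushed and closed before
    # the sysctl below runs, instead of relying on the anonymous file object
    # being finalised by reference counting.
    with open("/etc/security/limits.conf", "w") as limits_conf:
        limits_conf.write("""
* soft memlock unlimited
* hard memlock unlimited
* soft nofile 32768
* hard nofile 32768
* soft as unlimited
* hard as unlimited
""")

    os.system("sysctl -w vm.max_map_count=131072")

    # Ensure no swap: http://www.datastax.com/docs/1.1/install/recommended_settings
    os.system("swapoff --all")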
# Second 'compute' branch: the per-node firewall is the last thing brought up.
# NOTE(review): an earlier 'compute' branch exists above in this file; the
# split may be deliberate ordering (firewall after everything else) --
# confirm before merging the two.
if hostname.startswith('compute'):
    # Restrict access so that only the hub nodes can reach services such as
    # ipython and the raw server.
    firewall_script = "/home/salvus/salvus/salvus/scripts/compute_firewall.sh"
    os.system(firewall_script)